A fast and versatile QKD system with hardware key distillation and wavelength multiplexing
Nino Walenta, Andreas Burg, Dario Caselunghe, Jeremy Constantin, Nicolas Gisin, Olivier Guinnard, Raphael Houlmann, Pascal Junod, Boris Korzh, Natalia Kulesza, Matthieu Legré, Charles Ci Wen Lim, Tommaso Lunghi, Laurent Monat, Christopher Portmann, Mathilde Soucarros, Patrick Trinkler, Gregory Trolliet, Fabien Vannel, Hugo Zbinden
Group of Applied Physics-Optique, University of Geneva, Chemin de Pinchat 22, 1211 Geneva, Switzerland
idQuantique SA, Chemin de la Marbrerie 3, 1227, Geneva, Switzerland
Telecommunications Circuits Laboratory, EPFL, 1015 Lausanne, Switzerland
University of Applied Sciences Western Switzerland in Yverdon-les-Bains (HEIG-VD), Route de Cheseaux 1, CH-1401 Yverdon, Switzerland
University of Applied Sciences Western Switzerland in Geneva (hepia), Rue de la Prairie 4, CH-1202 Geneva, Switzerland
Institute for Theoretical Physics, ETH Zurich, Gloriastrasse 35, 8093 Zurich, Switzerland
E-mail: [email protected], [email protected]
Abstract.
We present a 625 MHz clocked coherent one-way quantum key distribution (QKD) system which continuously distributes secret keys over an optical fibre link. To support high secret key rates, we implemented a fast hardware key distillation engine which allows for key distillation rates up to 4 Mbps in real time. The system employs wavelength multiplexing in order to run over only a single optical fibre and is compactly integrated in 19-inch 2U racks. We optimized the system considering a security analysis that respects finite-key-size effects, authentication costs, and system errors. Using fast gated InGaAs single photon detectors, we reliably distribute secret keys with rates up to 140 kbps and over 25 km of optical fibre, for a security parameter of ε_QKD = 4 · − .
1. Introduction
Today’s society relies heavily on confidential and authenticated communication. Encryption and authentication can be realized with provable information-theoretic security, derived from Shannon’s theory [1]. This means that even an adversary who has unlimited computing powers can decipher an encrypted message or forge an authenticated message only with arbitrarily small probabilities. To date, the only message encryption scheme that has been proven information-theoretically secure [1] is the Vernam one-time pad cipher [2]. Secure message authentication has been demonstrated for schemes utilizing universal hash functions [3, 4]. The fundamental resources of these schemes are random and secret strings of bits, shared between the two distant parties commonly known as Alice and Bob. Hence, information-theoretically secure communication necessitates continuous distribution of random secret keys with provable security. Classically, the generation of two identical key streams of truly random bits at two distinct locations relies on the assumption of a secure channel or public-key cryptography. However, their security is based on certain assumptions, such as the difficulty to factorize large composite integers, or to compute discrete logarithms in certain finite groups.
A completely different approach is quantum key distribution (QKD), introduced in 1984 by Bennett and Brassard [5] (see Ref. [6] for a review). The idea is to send random bits encoded on non-orthogonal states of single photons. The security is based on the laws of quantum mechanics, in particular the no-cloning theorem which forbids the creation of identical copies of unknown quantum states and the fact that a measurement of an unknown quantum state inevitably disturbs it. Subsequent authenticated communication between Alice and Bob enables a measure of the information an eavesdropper potentially possesses, and hence, its reduction.
Seen in this light, QKD is essentially a key expansion scheme, that is, a short initial authentication key is sufficient to generate continuously new information-theoretically secure keys [6]. Most importantly, the secret keys generated by QKD are universally composable, which allows one to partially reuse them for authenticating the distillation processes of subsequent QKD rounds. Remaining bits are then available for message encryption and authentication. QKD may also be used to enhance security of cryptography schemes based on computational complexity, e.g., AES (Advanced Encryption Standard) can benefit from regularly refreshed encryption keys.
Since the mid 1990’s, QKD has progressed rapidly in several aspects. Starting from the early demonstration of feasibility experiments [7, 8], faster and faster (with bit rates on the order of Mbps [9, 10]) and long reaching systems (up to 250 km [11, 12]) have been developed. However, most of the early experiments focused only on the physical layer: photon generation, manipulation, transmission and detection. Even up to today, systems which include all necessary components for secure and fast QKD are rare. Indeed, those components are numerous and need multidisciplinary competences (see Fig. 4). Important and often forgotten parts include random number generation,
2. QKD engine
The QKD system described in the following was designed to have the flexibility to adapt to different QKD implementations and protocols. A schematic of our implementation is shown in Fig. 1. It is built around FPGAs (field programmable gate array, Xilinx Virtex 6) and manages the fast interfaces for the optical components, the classical communication channels, all the sub-protocols which accompany QKD as well as the distribution of the generated secret keys. The various parameters as well as all the algorithms used for key distillation and authentication processes have been carefully chosen by taking into account various trade-offs between engineering and cost constraints. Importantly, we have taken special care to analyse and optimise all tasks with respect to reducing the requirements and resources such that only one single FPGA is needed in each device. In general, compromises had to be found between the post-processing key size ( ≥ bits), as required in finite-key scenarios analyzed in Appendix A, and limits imposed by the hardware in terms of memory size and throughput. A personal computer (PC) is connected to each FPGA via PCI Express to access the configuration, status and monitoring registers. The final secret key can be transferred from the key manager to this PC and further distributed to external applications. Two communication links are established, a one-way quantum channel and a bidirectional classical service channel. All channels can be wavelength-multiplexed on a single fibre using DWDM. In the following, we describe in more detail the functionality of each module of our QKD engine. For a more complete (and technical) description of the architecture of the code and the used algorithms, please refer to [14].
Quantum channel interface module:
Two digital 1.25 Gbps serial interface transceivers at each FPGA (for Alice and Bob) allow synchronised interconnection with the optical hardware of the quantum channel. At Alice, they output up to two parallel streams of digital on-off pulses with adjustable amplitude and width, which are used to drive an electro-optical modulator for quantum state preparation.
Figure 1.
Schematic of our optical implementation for the coherent one-way QKD protocol and the key distillation procedures implemented in the fast FPGA hardware.
For the implementation of the COW protocol as presented later, one transceiver is needed to drive an intensity modulator. Using the second transceiver as well, one can control a dual-drive modulator and prepare all quantum states required by BB84 or the differential phase-shift (DPS) protocol, as we have shown in [15]. At Bob’s device, both digital transceivers are used, each connected to one single photon detector SPD_D and SPD_M, respectively. They provide the detector gate trigger if needed, and receive the detection signals from the corresponding single photon detector. Digital delays with 10 ps resolution allow temporal alignment of the detector gates with respect to the quantum signals, and temporal alignment of the detection signals with respect to Bob’s FPGA clock.
Service channel interface module:
Two optical 2.5 Gbps SFP (Small form-factor pluggable) transceivers (Finisar) on each side establish a bidirectional classical communication link between Alice and Bob. All tasks which are needed to continuously generate secret keys or to further use these keys, share this link employing temporal multiplexing. These tasks requiring classical communication comprise in particular synchronisation, alignment, sifting, parameter estimation, error correction and verification, privacy amplification, authentication, key management, encryption, administration, and logging. Some of them strictly require authentication, some of them encryption, or even both as discussed later. The priority of each task, as well as the allocated communication bandwidth, can be adjusted individually. We employ dense wavelength-division multiplexing to transmit all classical communication channels together with the quantum channel simultaneously over a single fibre. The FPGA system clock of Bob is synchronised and phase stabilised with some 10 ps precision with the master clock at Alice. All other necessary frequencies are derived from this clock, most importantly Alice’s quantum state modulation frequency and Bob’s detector gate frequency.
[Plot: sifting bits per detection vs. detection probability; curves: Shannon limit, long sifting, short sifting]
Figure 2.
Number of bits per detection which have to be sent from Bob to Alice for detection times and base sifting. Blue corresponds to short sifting blocks optimised for detection probabilities > .
Sifting and sampling module:
This module realises sifting of incompatible detections and optionally parameter estimation. Sifting comprises essentially three steps. First, since a large fraction of photons is lost in the fibre link or is not detected, Bob discloses which of the qubits he detected, without revealing the detected bit value. Second, Bob announces for each detection his randomly chosen measurement basis. Finally, Alice responds for each detection whether or not to discard it due to incompatible preparation and measurement basis. The first two sifting steps have to be performed as fast as possible in order to allow Alice to sift out undetected and incompatible bits from her memory before exceeding the available buffer size. In each sifting block, Bob encodes the detection time index of a detection relative to the index of the previous detection. Additionally, he attaches to each sifting block two control bits, which are used to indicate either the measurement basis for each detection, or empty blocks when no detection occurred during the maximum time that can be encoded in a single sifting block.
The amount of bits exchanged during sifting has to be kept as small as possible, since this communication has to be authenticated at the cost of secret bits. The longer the fibre, the more bits are needed to indicate the time (number of clock cycles) passed between two succeeding detections. We switch to 14 bits instead of 6, for detection probabilities smaller than 2 · − per gate. As shown in Fig. 2, our way to encode the time information is very efficient (less than twice the Shannon limit) for detection probabilities between 10 − − − per gate.
Some QKD protocols, e.g. COW, use only one basis to obtain the raw key. All detection outcomes in the second basis are publicly revealed in order to estimate the phase error of the received quantum states. Bob reveals these measurement outcomes in the two control bits, too.
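The relative detection-time encoding described above can be modelled as follows. This is an added example, not the system's FPGA code: the block layout, the numeric control codes and the independent-click model are assumptions made for illustration. It encodes and decodes sifting blocks and compares the 6-bit and 14-bit time fields against the timing entropy per detection.

```python
import math
import random

# Hypothetical 2-bit control codes: the page only says that two control bits
# flag the measurement basis or an empty block; these values are assumed.
EMPTY, BASIS_DATA, BASIS_MONITOR = 0, 1, 2
CONTROL_BITS = 2


def encode(detections, time_bits):
    """Turn sorted (gate_index, basis_code) detections into sifting blocks.

    A block is (control, field). A detection block stores gap-1 in `field`;
    an EMPTY block means 2**time_bits gates passed without any detection.
    """
    max_gap = 1 << time_bits
    blocks, prev = [], -1
    for gate, basis in detections:
        gap = gate - prev
        while gap > max_gap:              # silence longer than one block can express
            blocks.append((EMPTY, 0))
            gap -= max_gap
        blocks.append((basis, gap - 1))
        prev = gate
    return blocks


def decode(blocks, time_bits):
    """Alice's side: rebuild absolute gate indices from the relative encoding."""
    max_gap = 1 << time_bits
    pos, out = -1, []
    for control, field in blocks:
        if control == EMPTY:
            pos += max_gap
        else:
            pos += field + 1
            out.append((pos, control))
    return out


def expected_bits_per_detection(p, time_bits):
    """Mean bits sent per detection if every gate clicks independently with prob. p."""
    max_gap = 1 << time_bits
    # 1 - P(no click in max_gap gates); one data block plus geometric empty blocks
    p_click_in_block = -math.expm1(max_gap * math.log1p(-p))
    return (time_bits + CONTROL_BITS) / p_click_in_block


def shannon_bits_per_detection(p):
    """Entropy of the click pattern per detection, h2(p)/p (timing only)."""
    h2 = -p * math.log2(p) - (1 - p) * math.log2(1 - p)
    return h2 / p


def simulate(p, time_bits, n_detections, seed=1):
    """Encode a constructed random click pattern and measure bits per detection."""
    rng = random.Random(seed)
    gate, detections = -1, []
    for _ in range(n_detections):
        u = 1.0 - rng.random()                           # uniform in (0, 1]
        gate += int(math.log(u) / math.log1p(-p)) + 1    # geometric gap >= 1
        detections.append((gate, rng.choice((BASIS_DATA, BASIS_MONITOR))))
    blocks = encode(detections, time_bits)
    if decode(blocks, time_bits) != detections:
        raise AssertionError("round trip failed")
    return len(blocks) * (time_bits + CONTROL_BITS) / n_detections


if __name__ == "__main__":
    for p in (0.05, 1e-2, 1e-3, 1e-4):
        short, long_ = (expected_bits_per_detection(p, k) for k in (6, 14))
        print(f"p={p:g}  6-bit: {short:8.2f}  14-bit: {long_:6.2f}  "
              f"entropy: {shannon_bits_per_detection(p):5.2f}")
```

Every bit counted here has to be authenticated, so the choice of field width feeds directly into the secret-key cost of sifting.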
If parameter estimation based on randomly revealing a fraction of detection outcomes is required for the quantum bit error rate (QBER) in the raw key, optionally a third control bit can be sent per detection. However, for the D . If double detections occur in both time-bins of the same qubit, we assign a randomly chosen value. A logical deadtime between 8 ns and 10 µs can be applied after detection, during which all detections are discarded to reduce impairment due to detector afterpulsing.
Error correction and verification module:
Due to practical limitations in the preparation of the quantum states, and due to detector noise and jitter, Bob’s sifted key differs from Alice’s original key even in absence of eavesdropping. Therefore, a forward error correction (FEC) code is implemented in the FPGA as described in [16], which uses the quasi-cyclic LDPC (Low-density parity-check) code defined in [17]. Error correction based on LDPC codes uses syndrome encoding with the advantage that only non-iterative one-way communication is required. Moreover, its efficiency in terms of revealed information can in principle approach the Shannon limit. Our FPGA implementation for LDPC performs forward error correction on blocks of 1944 bits length and provides rates up to 235 Mbps at 62.5 MHz clock frequency with ten decoding iterations. The LDPC code rate, i.e., the fraction of unpublished information, can be set to f_EC(Q) ∈ { / , / , / , / } to adapt to the expected error rates. Bob calculates all syndromes for a constant expected error rate, and forwards them to Alice through an authenticated channel. Alice performs syndrome decoding and checks the parity. If an error occurred, the corresponding block is discarded. However, there is still a certain probability that uncorrected errors remain after error correction, especially for error rates larger than 6 % (see Fig. 3, left). To detect remaining errors, we implement a subsequent verification step, where Bob transmits a 48-bit hash checksum per LDPC code block to Alice. The checksums are generated using polynomial hashing [3, 4], with a new random 48-bit seed for each checksum. The universal hash function is randomly chosen, and the collision probability on at least one of 512 subsequent blocks (corresponding to 995,328 bits input length for privacy amplification) is upper-bounded by ε_VER ≤ . · − . For each block, the hash, as well as the random choice of hash function, are sent to Alice. If a checksum mismatch occurs, the associated block is discarded. Fig. 3 (left) shows for all implemented code rates the probability that a verification fails as a function of the measured raw QBER.
Bit error estimation module:
In every QKD protocol the amount of errors of the received quantum states has to be estimated in order to determine an upper bound on the fraction of information which could have leaked to an eavesdropper. The standard procedure consists in random sampling of a subset of the sifted key, comparing the bit values over an authenticated channel, and calculating the error rate in each basis. While straightforward, this method reduces the final secret key rate as all revealed outcomes have to be discarded. Most importantly, it has a substantial impact for a finite-key analysis, since a small sample gives only an imprecise estimate on the true error rate in the remaining, unrevealed detections.
[Plot panels: hash error probability (left); effective QBER (right)]
Figure 3.
Left: Measurement results for different code rates showing the probability that the comparison between Alice and Bob’s verification hash tags indicates at least one remaining error per 2048 bit block of error corrected keys. Right: Effective QBER under the conservative assumption that during each block with verification hash failure the eavesdropping attacks induced an error rate of 1 /
To overcome these impairments, we perform parameter estimation exploiting our knowledge about the correctness of the key after verification. Once we obtain 512 blocks of 1944 error corrected and verified bits, Alice compares them with her original random bit sequence [18]. By counting the total number of mismatches, an exact number for the true bit errors is obtained. Additionally, we take into account blocks which were dropped due to checksum mismatches during error verification. We conservatively assume for each block with verification hash failure a maximum error rate of 1 / ε_PE ≤ . · − .
Privacy amplification module:
Our FPGA implementation of privacy amplification uses Toeplitz hashing [3, 4], a construction for families of universal hash functions, in combination with LFSR hashing as proposed in [19, 20]. This approach is very efficient in terms of communication bandwidth needed to convey the chosen hash function, and allows parallelised computation and efficient, scalable implementation on the FPGA hardware.
The privacy amplification compression is the ratio between the length of the output and input keys, i.e., the ratio between the number of rows and columns of the Toeplitz matrix. In order to obtain high secret key rates based on finite-key analysis, we choose a fixed input length of 995,328 bits. As a consequence of this large block size, the size of the resulting matrix is such that it has to be stored in an SDRAM outside the FPGA. Our hardware implementation for privacy amplification has shown to treat up to 48 Mbps input rate. Changing the output block length, the compression ratio can be adjusted over the full range between 0−100 % in steps of 0.05 %. We optimise and fix the compression ratio once in advance for a given scenario. Then, we verify for each
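A toy model of Toeplitz hashing with an LFSR-generated matrix, as described for the privacy amplification module. This is an added example, not the FPGA implementation or the exact construction of [19, 20]: the 8-bit output size, the fixed feedback polynomial and the start state are constructed values chosen for illustration. It shows that the streaming form (no stored matrix) matches the explicit matrix product, and how few seed bits describe the hash function.

```python
# Feedback polynomial x^8 + x^4 + x^3 + x^2 + 1 (primitive over GF(2)).
# A real system draws polynomial and start state at random; both are fixed
# here (constructed values) so the example is reproducible.
DEGREE = 8                     # toy output length m; the page's blocks are far larger
TAPS = (0, 2, 3, 4)            # s[t+8] = s[t] ^ s[t+2] ^ s[t+3] ^ s[t+4]


def lfsr_sequence(start, length):
    """Extend the DEGREE start bits to `length` bits with the linear recurrence."""
    s = list(start)
    if len(s) != DEGREE or not any(s):
        raise ValueError("start state must be DEGREE bits and not all zero")
    while len(s) < length:
        t = len(s) - DEGREE
        bit = 0
        for j in TAPS:
            bit ^= s[t + j]
        s.append(bit)
    return s[:length]


def toeplitz_matrix(start, n_in):
    """Explicit m x n matrix; entry (i, j) depends only on j - i (Toeplitz)."""
    s = lfsr_sequence(start, n_in + DEGREE - 1)
    return [[s[j + DEGREE - 1 - i] for j in range(n_in)] for i in range(DEGREE)]


def hash_matrix(start, bits):
    """Reference computation: y = T x over GF(2)."""
    matrix = toeplitz_matrix(start, len(bits))
    return [sum(t & x for t, x in zip(row, bits)) & 1 for row in matrix]


def hash_streaming(start, bits):
    """Same result without storing T: XOR the LFSR window in for every 1-bit."""
    window = list(start)               # holds column j of T, bottom row first
    acc = [0] * DEGREE
    for x in bits:
        if x:
            acc = [a ^ w for a, w in zip(acc, reversed(window))]
        new = 0
        for j in TAPS:
            new ^= window[j]
        window = window[1:] + [new]    # slide to column j + 1
    return acc


def seed_bits(n_in):
    """Random bits needed to describe the hash function for n_in input bits."""
    return {
        "toeplitz": n_in + DEGREE - 1,  # first row and first column
        "lfsr": 2 * DEGREE,             # feedback polynomial plus start state
    }


if __name__ == "__main__":
    start = [1, 0, 0, 1, 0, 1, 1, 0]                               # constructed seed
    key = [1 if (i * 7 + 3) % 5 < 2 else 0 for i in range(64)]     # constructed input
    print("digest:", hash_streaming(start, key))
    print("seed bits:", seed_bits(len(key)))
```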
Authentication module:
The classical communication channel is authenticated in order to prevent an eavesdropper from forging messages, which would open the door for man-in-the-middle attacks. For information-theoretically secure authentication, we use a combination [21] of ε_AUT-almost strongly universal hash functions in combination with a strongly-universal family of hash functions named polynomial hashing [3, 4], which is very efficient with respect to consumed secret bits as well as required operations. Bob randomly and secretly selects a hash function from this family to calculate a hash tag for each transmitted message, and sends the hash tags together with the messages to Alice. To verify that the transmission has not been forged, Alice has to know which hash functions Bob has chosen to be able to verify the hash tags for the received messages. Only when her calculated and the received tag for a message match, then it is considered valid. We send a new 127-bit authentication tag for every 2 bits of classical communication to obtain a collision probability of ε_AUT ≤ − . This approach would require 383 secret bits to select a new hash function for every tag. However, recently it has been shown that the same hash function can be reused for multiple authentication rounds if the tags attached to the messages [22] are one-time pad encrypted. This authentication scheme is proven ε-universal-composable-secure even if ε-almost strongly universal hash functions are used and provides a bound for its information leakage. This strategy reduces the secret key consumption to one third, since only 127 bit secret keys are needed to encrypt each tag instead of 383 secret bits to select a new hash function.
Random number generation module:
Random numbers are extensively needed during preparation for selecting the quantum states, as well as during key distillation, e.g., to generate the privacy amplification matrices. These random bits must be provided by true quantum random number generators, ideally quantum random number generators (QRNGs) where up to 2 GHz output rates have been demonstrated [23] to date. However for the time being, we use a commercial QRNG [24] (certified by Swiss Federal Office of Metrology). Since its bit rate of 4 Mbps is by far not sufficient, we implement the NIST SP800-90 recommended AES-CTR cryptographically secure pseudo-random number generator that uses seeds of 256 bits provided by the QRNG to generate up to 1.1 Gbps random bits. We note that due to AES, the random number expansion protocol is the only part of the entire system for which we can’t provide an information-theoretic security statement.
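The tag scheme from the authentication module above (one long-lived polynomial hash key, each tag encrypted with a fresh one-time pad) can be sketched as follows; polynomial hashing is also the family the page names for the verification checksums. This is an added example, not the system's implementation or the combined construction of [21]: the field GF(2^127 − 1), the chunking, additive pad encryption and all names are assumptions made for illustration.

```python
import hmac
import secrets

P = (1 << 127) - 1        # Mersenne prime 2^127 - 1: toy field giving 127-bit tags
CHUNK = 15                # message bytes per polynomial coefficient (120 bits < P)
TAG_BITS = 127


def poly_hash(key, message):
    """Polynomial hash: Horner evaluation at the secret point `key` in GF(P)."""
    acc = len(message) % P                   # leading coefficient binds the length
    for i in range(0, len(message), CHUNK):
        coeff = int.from_bytes(message[i:i + CHUNK], "big")
        acc = (acc * key + coeff) % P
    return acc


class TagKeys:
    """One party's copy of the shared secrets: reusable hash key plus pad queue."""

    def __init__(self, hash_key, pads):
        self.hash_key = hash_key
        self._pads = list(pads)
        self.secret_bits_used = 0

    def next_pad(self):
        if not self._pads:
            raise RuntimeError("no fresh pad left: refuse to authenticate")
        self.secret_bits_used += TAG_BITS
        return self._pads.pop(0)             # popped, so a pad is never reused


def make_tag(keys, message):
    """Sender: hash with the long-lived key, then one-time-pad the tag (add mod P)."""
    return (poly_hash(keys.hash_key, message) + keys.next_pad()) % P


def check_tag(keys, message, tag):
    """Receiver: the matching pad is consumed even when the check fails."""
    pad = keys.next_pad()
    if not 0 <= tag < P:
        return False
    expected = (poly_hash(keys.hash_key, message) + pad) % P
    return hmac.compare_digest(expected.to_bytes(16, "big"), tag.to_bytes(16, "big"))


def run_exchange(messages, altered_index=None):
    """Constructed demo: Bob tags, Alice verifies; one message may change in transit."""
    hash_key = secrets.randbelow(P)
    pads = [secrets.randbelow(P) for _ in messages]
    bob, alice = TagKeys(hash_key, pads), TagKeys(hash_key, pads)
    verdicts = []
    for i, msg in enumerate(messages):
        tag = make_tag(bob, msg)
        received = msg + b"!" if i == altered_index else msg
        verdicts.append(check_tag(alice, received, tag))
    return verdicts, alice.secret_bits_used


if __name__ == "__main__":
    msgs = [b"sifting block 0", b"syndrome 17", b"hash seed"]    # constructed messages
    print(run_exchange(msgs, altered_index=1))
```

Both sides consume pads in lockstep, so a rejected message still burns its pad; running out of pad material has to stop authentication rather than fall back to reuse.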
Key manager:
A fraction of the privacy amplified, secret keys is transferred by the key manager to the authentication module. Once their authenticity has been verified, the key manager distributes the remaining keys to an internal OTP encryption application, or via a PCI Express link to a PC and further to external consumers, e.g. network encryptors.
3. COW protocol and implementation
The presented QKD system provides the flexibility to drive different QKD protocols [15]. In the following, we present the implementation of the coherent one-way (COW) protocol [25].
The COW protocol belongs to the class of distributed phase reference protocols and seeks to enable long fibre distance QKD while maintaining a simple and convenient setup. The advantages of the COW protocol are that it allows implementation of a completely passive receiver, without any active element for base choice, requiring only two single photon detectors. Its implementation is robust against birefringence fluctuations, fibre transmission losses and photon number splitting attacks. A schematic of the setup is sketched in Fig. 1.
Following the COW protocol, Alice encodes each bit value by the choice of sending a weak coherent pulse in one out of two possible time-bins, while the other time-bin contains the vacuum state. Formally, these quantum states can be written as |β⟩_n = |α⟩|vac⟩ and |β⟩_n = |vac⟩|α⟩, where α is the complex coherent state amplitude with an average photon number per time bin µ = |α| < 1, and n labels the qubit index. These states can be discriminated optimally by a simple time-of-arrival measurement. In addition, a third state called decoy sequence with both time-bins containing weak coherent pulses is randomly prepared, i.e. |β_d⟩_n = |α⟩|α⟩.
As for distributed-phase-reference QKD, the integrity of the quantum channel is monitored using an imbalanced interferometer. It measures the coherence between pulses in two successive, non-empty time-bins, either within a bit when a decoy sequence was prepared, or across bit separation whenever corresponding sequences are prepared. The latter measurement across bit separation renders photon number splitting attacks on individual states less powerful as the adversary reduces the interference visibility if trying to discriminate individual states. As a consequence, the optimal average number of photons which can be sent per qubit becomes independent of the fibre transmission, but dependent on QBER and visibility. Security against zero error attacks and restricted collective attacks was proven, including imperfections of the state preparation [26]. Note that a general security proof was obtained for a modified COW protocol [27], which, however, involves more intricate hardware.
Alice’s optical QKD module:
The coherent light source is a continuous-wave distributed feedback laser diode (Agilecom) with a sufficiently long coherence time of > 300 ns. It is compatible with 100 GHz DWDM telecom standard, and its central wavelength is regulated by a thermo-electric controller (TEC) to λ = 1551.72 nm (ITU channel 32) [28].
An integrated LiNbO intensity modulator (IM, Photline MX-LN 20) prepares the COW states. It tailors the continuous optical signal in a coherent train of short pulses, according to the states selected by the random number generator. The corresponding digital on-off signals are provided through the high-speed serial interfaces of the FPGA, reshaped to clean pulses of 50−400 ps duration, and amplified to appropriate voltage
Bob’s optical QKD module:
At Bob’s quantum channel input, an optical isolator prevents information leakage due to detector backfiring or back-reflection of potential Trojan horse attacks. A 45 pm spectral fibre Bragg grating (FBG, aos) filter with 1 . D measures the photon arrival time in the data line to obtain the raw key, SPD_M detects the output of the imbalanced interferometer (IF) in the monitoring line. For the results presented in sec. 4, SPD_D is a sine gated InGaAs avalanche photo diode (APD) with a frequency of 1.25 GHz as described in [29]. Its gate width (FWHM) is 130 ps which proves to be a good tradeoff between sufficiently low afterpulsing while maintaining a good detection efficiency. The efficiency is varied in the range of 6-10 %, maximising the final secret key rate. For the considered fibre distances, the dark counts are no limiting factor and the highest key rate was indeed obtained at room temperature (20 °C). At this temperature, the dark count probability is about 10 − per gate at 10 % efficiency.
As the monitoring detection rate is much smaller, SPD_M is a free-running negative feedback InGaAs APD [30]. Applying 20 µs deadtime, its dark count rate was typically 800 Hz at 20 % detection efficiency. Importantly, its timing jitter is only 200 ps (FWHM), sufficiently low to discriminate time-bins at 1.25 GHz. The gate times for both detectors are derived from the clock signal distributed over the service channel, and are digitally delayed to compensate for any temporal delay between quantum and service channel.
Figure 4.
Photo of the opened QKD devices. Each system is compatible with 19-inch 2U industrial cases and houses all the electronics, optics and interfaces to distribute quantum keys, use the QKD keys for Ethernet authentication and one-time pad encryption, and to additionally supply them to external consumer devices. In consideration of security aspects, their interior is completely mechanically encapsulated, while thermal stabilisation is provided by two external fans. Using external 19-inch 1U DWDM modules (bottom), both devices were connected by only one single telecom fibre and have demonstrated stable QKD functionality with a security guarantee of ε_QKD = 4 · − over more than 25 km distance.
The Michelson type IF as sketched in Fig. 1 is made up of a fibre coupler with two Faraday mirrors terminating the two arms. The arms are cut such that their length difference corresponds to half of the separation between consecutive time bins. The measured free-spectral range of 1.247 GHz matches very well the target frequency of 1.25 GHz. The IF has 1 . > .
Mechanical housing and DWDM modules:
Each QKD device is integrated in a 19-inch 2U housing as shown in Fig. 4. It provides a power input, a single mode fibre connector (APC) for the quantum channel, a PCI-Express link to the control PC, and two SFP slots for the service channel and an optional external encryptor. Importantly, despite these connectors the mechanical housing is perfectly encapsulated from the environment to prevent any other physical attack point than through the optical fibre. In particular, the arrangement of all components has been carefully chosen to maintain an efficient heat release and to guarantee maximum stability, although the cooling air flows only outside around the device without entering it.
During all key exchanges presented here, we used one single optical fibre and dense wavelength-division multiplexing (DWDM) for quantum and all classical channels.
[Plot panels: secret key rate [bps] vs. fibre length [km] (raw secret key rate, authenticated secret key rate); QBER and visibility vs. fibre length [km] (parameter estimation by key comparison, sub-sampling)]
Figure 5.
Left: Secret key rates after privacy amplification (blue circles) and authenticated secret key rate (purple triangles) which accounts for secret key consumption for authenticating the classical communication channel. We considered a security analysis that respects finite-key-size effects, authentication costs, and system errors with a security parameter of ε_QKD = 4 · − . Right: QBER and raw visibility results before removing dark counts.
We implemented external DWDM modules for Alice and Bob in separate 19-inch 1U cases, comprising a 100 GHz multiplexer (OptiWorks) and a variable optical attenuator (OptoLink) to minimise the power of the transmitted classical channels. The multiplexers have an isolation of 80 dB and an insertion loss of 1 .
4. Experimental results
We tested the system over fibre lengths between 1−50 km using rapid sine gated single photon detectors [29] as well as free-running single photon detectors (id220, IDQ). All classical and quantum communication channels were multiplexed onto a common fibre. Using different configurations of the distillation engine we optimised the key rates for a security parameter of 4 · − , while respecting a security analysis for finite-key-size effects, authentication costs, and system errors.
For the measurements which we discuss in the following, we obtained the highest secret key rate using an LDPC error correction code rate of 3/4, parameter estimation based on key comparison, and longer sifting blocks to encode the detection times in 14 bits. The secret key rate which is provided by the FPGA distillation engine after privacy amplification, is shown in Fig. 5 (left, circle). Multiplexing quantum and classical channels over a single 1 km fibre, secret keys were distributed at a rate of 144.5 kbps. Over a single 25 km long fibre, we obtained after privacy amplification a secret key rate of 22.5 kbps. The useful rate of secret bits available for applications, e.g., internal one-time-pad encryption or external encryptors is shown as red triangle in Fig. 5 and accounts for secret bit consumption to encode the authentication tags.
Parameter optimisation:
For each setting we optimised several parameters to maximise the final authenticated secret key rate. These are summarised in Table 1. For longer fibres, the average photon number was increased and the detection efficiency decreased in order to compensate for increasing impairment due to DWDM noise (Raman scattering and crosstalk) and dark counts. In this way, the quantum bit error rate was maintained close to the maximum QBER which could be efficiently corrected with the chosen LDPC code rate (see Fig. 3). For the different fibre lengths we obtained a QBER (before subtracting dark counts) as shown in Fig. 5 (right). The QBER increases for longer fibres and is considerably larger than the error rate which we estimated using sub-sampling instead. This additional contribution stems from blocks of error corrected bits, which haven’t passed the subsequent hash tag verification. For these blocks we conservatively attribute a-priori an error rate of 1 / .
Figure 6.
Key rates (left), QBER and visibility (right) demonstrating the stability of an autonomous QKD run for a period of more than 11 hours. Alice’s and Bob’s devices were connected by a single 12.5 km fibre. The secret key rate (left, red) accounts for finite-key effects, the authenticated key rate (left, purple) for the consumption of secret keys to encrypt the authentication tags.
Stability:
In Fig. 6 we show the stability in terms of key rates, QBER and visibility for an autonomous QKD run over a period of more than 11 hours using a single 12.5 km DWDM fibre link. The results clearly reflect the good stability of all system components including synchronisation and alignment, Alice’s state preparation, Bob’s interferometer and single photon detectors, and the whole distillation engine. The average raw quantum bit error rate as measured by comparing Alice’s error corrected key with her original key was 1.91 % over the whole measurement period (Fig. 6, right). The raw visibility before subtracting dark counts had an average of 98.1 %, and was constantly above 97.0 %. Considering finite-key security with ε QKD = 4 · − , we applied a compression factor of 0.12, and accounting for the fraction of blocks which were discarded due to verification failures, the resulting secret key rate was 62 .
Fibre length [km] 1 km 12.5 km 25 km
Pulse amplitude µ . ± . 01 / 1 . 98 1 . ± . 02 / 3 . 03 1 . ± . 03 / 3 . . 41 0 . 76 0 . . 05 0 . 11 0 . . ± . 14 98 . ± . 13 97 . ± . . ± . · (5 . ± . · (3 . ± . ·
Secret key rate [bps] 1 . · . · . ·
Authenticated key rate [bps] 1 . · . · . ·
Table 1. Parameters and measurement results summarizing the performance of the QKD prototype for information theoretic secure key distribution with a security parameter of 4 · − .
Authentication costs:
The secret key rates usually presented are the key rates after privacy amplification, i.e., they do not account for secret bit consumption to encode the authentication tags. Therefore, Fig. 7 shows the amount of classical communication accompanying key distillation as well as the fraction of secret bits which are consumed to encrypt authentication tags of 127 bit per 10 bits of classical communication. The left side of Fig. 7 shows the amount of classical information which has to be communicated normalised per secret bit, as well as in terms of authenticated fraction of secret bits which is left after authentication. It reveals that, for all considered fibre lengths, the least fraction of secret bits consumed for authentication is obtained if we use long sifting blocks and parameter estimation based on key comparison (circles). For a fibre of 1 km length, 217 classical bits have to be communicated per secret bit. Correspondingly, a fraction of 2.7 % of secret bits is needed for authenticating this communication, i.e. the authenticated key rate amounts to 97.3 %. It increases up to 412 bits of classical communication per secret bit for a 25 km fibre, where 5.0 % of secret bits are needed for authentication, corresponding to an authenticated key rate of 95.0 %. Much more classical information has to be sent and authenticated if short sifting blocks with only 6 bits instead of 14 bits are used to encode the detection times, and nearly 20 % of all secret bits are consumed for authentication (triangles in Fig. 7).
[Figure 7 plot. Left panel: authenticated key fraction and classical bit rate [per secret bit] versus fibre length [km]; legend: detection time encoding, long (circles) and short (triangles). Right panel: communication rate [%] versus fibre length [km]; legend: Sifting, PA, LDPC, Verification, Authentication.]
Figure 7. Amount of classical information accompanying QKD. Left: Total communication rates per secret bit and fraction of secret bits remaining after authenticating the classical communication channels. At least 2.7 % of secret bits are consumed for authentication, i.e., to encrypt the authentication tags of 127 bits per 10 bits of classical communication. Right: Communication rates broken down by individual sub-protocols for the considered fibre lengths. The rates are dominated by the amount of sifting information sent from Bob to Alice which adds up to 94–99 %, depending on the specific configuration.
The origin of the different authentication losses is illustrated in Fig. 7 (right), where we compare the communication rates broken down by each individual sub-protocol. With more than 94 %, the largest amount of information is sent for sifting. More than one order of magnitude less, up to 4.5 %, is sent for communicating the randomly chosen Toeplitz matrices for privacy amplification. At most 1 .
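As an added example (not code from the paper or its FPGA engine), the Python below applies Toeplitz-matrix privacy amplification with the compression factor of 0.12 quoted above and counts the seed bits that would have to be announced over the authenticated classical channel. It assumes the textbook construction in which n + m − 1 random bits define the m × n matrix; the function names and the 2048-bit input block are constructed for illustration.

```python
import secrets


def bits_to_int(bits):
    """Pack a bit list into an int with the first bit most significant."""
    value = 0
    for bit in bits:
        value = (value << 1) | (bit & 1)
    return value


def toeplitz_hash(key_bits, seed_bits, out_len):
    """Multiply key_bits by an out_len x n Toeplitz matrix over GF(2).

    Matrix entry T[i][j] = seed_bits[i - j + n - 1], so entries are constant
    along each diagonal and n + out_len - 1 seed bits define the matrix.
    """
    n = len(key_bits)
    if not 0 < out_len <= n:
        raise ValueError("output length must be between 1 and len(key_bits)")
    if len(seed_bits) != n + out_len - 1:
        raise ValueError("seed must hold n + out_len - 1 bits")
    x = bits_to_int(key_bits)             # bit (n-1-j) of x is key_bits[j]
    seed = 0
    for k, bit in enumerate(seed_bits):   # bit k of seed is seed_bits[k]
        seed |= (bit & 1) << k
    mask = (1 << n) - 1
    out = []
    for i in range(out_len):
        row = (seed >> i) & mask          # bit k of row is seed_bits[i + k]
        out.append(bin(row & x).count("1") & 1)  # parity = GF(2) dot product
    return out


def privacy_amplify(key_bits, compression):
    """Draw a fresh random seed and compress key_bits by `compression`."""
    n = len(key_bits)
    out_len = int(n * compression)
    seed_int = secrets.randbits(n + out_len - 1)
    seed_bits = [(seed_int >> k) & 1 for k in range(n + out_len - 1)]
    return seed_bits, toeplitz_hash(key_bits, seed_bits, out_len)


def seed_bits_per_secret_bit(n, compression):
    """Classical bits needed to announce one Toeplitz seed, per output bit."""
    out_len = int(n * compression)
    return (n + out_len - 1) / out_len


if __name__ == "__main__":
    # Constructed 2048-bit input block; the sifted blocks on the page are far longer.
    block = [secrets.randbits(1) for _ in range(2048)]
    seed, secret = privacy_amplify(block, 0.12)
    print(len(seed), len(secret))
    print(round(seed_bits_per_secret_bit(995_328, 0.12), 2))
```

With the page's values (a block of 995,328 sifted bits and a compression factor of 0.12), this construction would announce about 9.3 seed bits per output bit.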
5. Conclusions and outlook
To conclude, we have presented a fully integrated versatile QKD platform that comprises a hardware key distillation engine, dense wavelength-division multiplexing · − . Our QKD platform has the flexibility to not only support the coherent one-way protocol, but additionally provides all the means to run the differential phase-shift QKD protocol, as well as phase-time qubit BB84. The system is compactly mounted in standard industrial 19-inch 2U housings.
All results were obtained using a 1-fibre DWDM configuration with all quantum and classical communication channels multiplexed in one common fibre, and taking into account finite key security for a block size of 10 bits. However, we want to stress that depending on the specific usage scenario and security requirements, the maximum secret key rate as well as the maximum fibre length can easily be increased. As an example, we performed the same set of measurements while neglecting finite-key effects, and obtained after authentication an asymptotic key rate of 293 kbps and 1.3 kbps for a fibre length of 1 km and 50 km, respectively. A further increase by more than a factor of two in both key rate and distance can be expected if, instead of multiplexing all channels over one single fibre, two fibres are available, one dark fibre for the quantum channel and a second fibre for the classical communication channels.
6. Acknowledgments
We gratefully acknowledge the valuable discussions with Renato Renner, Marcos Curty and Christoph Pacher. Furthermore, we thank Hervé Gouraud from Photline for his kind support. This research project was financially supported by the Swiss Nano-Tera project QCRYPT and the National Center of Competence in Research QSIT.
Appendix A. COW finite-key rates
We consider a coherent one-way transmitter at Alice as depicted in Fig. 1 which prepares time-bin qubits with a frequency $f_Q$. In general, the prepared quantum state after a time $t_N = N/f_Q$ can be written in the form of a product state

$$|\Psi\rangle_N = \bigotimes_{n=1}^{N} |\psi(b_n, v_n)\rangle_n \qquad \text{(A.1)}$$

$$|\psi(b_n, v_n)\rangle_n = \bigotimes_{i=0}^{n_{bit}-1} |\alpha(b_n, v_n, i)\rangle_{n \cdot n_{bit} - i} \qquad \text{(A.2)}$$

of coherent quantum states $|\alpha\rangle_\tau$. Their complex amplitudes $\alpha$ in temporal mode $\tau$ depend on Alice’s random choice of basis $b_n \in \{0, 1\}$ and bit value $v_n \in \{0, 1\}$. We have introduced a parameter $n_{bit} = f_{gate}/f_Q$ which accounts for the implementations where $n_{bit}$ successive temporal modes are used to distinguish the states. It is $n_{bit} = 2$ for COW and BB84 phase-time qubits, while for DPS $n_{bit} = 1$. Whenever Alice chooses $b_n = 0$, she prepares a quantum state corresponding to a bit value

$$|\psi(0,0)\rangle_n = \left|\sqrt{\frac{\mu}{(1+\eta_{IM})}}\right\rangle_{2n} \otimes \left|\sqrt{\frac{\eta_{IM}\cdot\mu}{(1+\eta_{IM})}}\right\rangle_{2n-1}$$

$$|\psi(0,1)\rangle_n = \left|\sqrt{\frac{\eta_{IM}\cdot\mu}{(1+\eta_{IM})}}\right\rangle_{2n} \otimes \left|\sqrt{\frac{\mu}{(1+\eta_{IM})}}\right\rangle_{2n-1} \qquad \text{(A.3)}$$

Here, $\mu = |\alpha|^2$ is the mean value of the Poissonian distributed number of photons per coherent state, and $0 \le \eta_{IM} \le$ $\eta_{IM} = 0$, and eq. (A.3) becomes $|\sqrt{\mu}\rangle \otimes |0\rangle$ and $|0\rangle \otimes |\sqrt{\mu}\rangle$. Whenever Alice chooses $b_n = 1$ with probability $p_{Decoy}$ a decoy sequence, irrespective of the bit value she prepares

$$|\psi(1,0)\rangle_n = |\psi(1,1)\rangle_n = |\sqrt{\mu}\rangle_{2n} \otimes |\sqrt{\mu}\rangle_{2n-1} \qquad \text{(A.4)}$$

The goal of Alice and Bob is to maximize the COW secret key rate (per prepared state) $r_{sec}$ which can be distilled from the transmitted and detected states

$$r_{sec} = r_{det} \cdot \beta_{sift} \cdot \beta_{est} \cdot f_{sec} \cdot \beta_{auth} \qquad \text{(A.5)}$$

$$= r_{sift} \cdot (1 - \eta_{PE}) \cdot f_{sec} \cdot (1 - \eta_{MAC}) \qquad \text{(A.6)}$$

where $r_{det}$ is the detection rate (per prepared bit) in Bob’s detector SPD D .
Further, $\beta_{sift}$, $\beta_{est}$, $f_{sec}$, $\beta_{auth}$ signify the key size reductions during sifting, parameter estimation, privacy amplification and authentication, respectively. In the considered COW implementation, a fraction $\beta_{sift} = (1 - p_{Decoy})/(1 + p_{Decoy})$ of all detections in SPD D is discarded during sifting. Furthermore, it is $\beta_{est} = 0.875$ if we perform parameter estimation based on sub-sampling, and $\beta_{est} = 1$ if we estimate the QBER by key comparison.

Including finite-key-size effects, the secret key fraction $f_{sec}$ under the assumption of a restricted collective attack [26] is given for a QBER $Q$ by the Devetak-Winter bound

$$f_{sec} = 1 - \mathrm{leak}_{EC} - \mathrm{leak}_{VER} - (Q + \delta Q) - (1 - Q - \delta Q) \cdot h\left[\ \right] - \beta_{smooth} - \beta_{EC} - \beta_{PA} \qquad \text{(A.7)}$$

The leakage of the error correction scheme $\mathrm{leak}_{EC}$ is in the ideal case the binary entropy $h[Q]$, while in the implementation at present, $\mathrm{leak}_{EC} = 1 - f_{EC}$, with the chosen LDPC code rate $f_{EC} \in$ { / , / , / , / }. The leakage from the verification step after error correction amounts to $\mathrm{leak}_{VER} = l/b = 0.023$ with $l = 48$ bits the length of each verification hash tag, and $b = 2048$ bits the block length per verification. The overlap $\Delta = |\langle \psi | \psi \rangle|$ between the two bit states is for an observed visibility $V$

∆ =(2 · ( V − δV ) − · e − µ − · √ − e − · µ · p ( V − δV ) · (1 − ( V − δV )) (A.8)

δQ = s η PE · ( n PP − η PE · n PP ) · Log [ ǫ PE ] (A.9)

In contrast, for parameter estimation based on key comparison, no uncertainty from statistical fluctuations impairs the QBER, i.e.

$$\delta Q = 0 \qquad \text{(A.10)}$$

However, in both cases the deducible visibility is limited by an uncertainty $\delta V$ due to the finite-key-size as

δV = s · ( Log [ ǫ V PE ] + 2 · Log [ n V + 1] ) /n V (A.11)

$n_V$ is the number of useful detections in the monitor detector from which the visibility is calculated. In the trusted detector scenario the secret key rate is optimized using QBER and visibility values that are corrected for detector errors, which can not be exploited or manipulated by an eavesdropper, e.g. dark counts. For the leakage term in eq. (A.7), the uncorrected QBER value must be considered.

Furthermore, we account in equation (A.7) for the reduction $\beta_{smooth}$ due to uncertainty induced by smoothing the min-entropy, and the failure probabilities $\beta_{EC}$ and $\beta_{PA}$ of the error correction and privacy amplification protocols [34]

β smooth = 7 · s log [ ε Smooth ] /n PP (A.12)

β EC = Log [ ε EC ] /n PP (A.13)

β PA = 2 · Log [ ε PA ] /n PP (A.14)

where the respective $\varepsilon$-parameters specify the confidence interval. For the presented implementation, the key length after parameter estimation $n_{PP} = \beta_{est} \cdot n_{SIFT}$ equals the sifted key rate as no bit values are revealed for estimating $Q$.
Instead, the errors are measured by comparing the original bit string with the corrected one, which limits $\varepsilon_{EC}$ to the confidence interval of subsequent error verification ( ε EC = ε VER = 8 · − ). The total security parameter of the system is then fixed by the sum

$\varepsilon_{QKD} = \varepsilon_{sec} = \varepsilon_{VIS} + \varepsilon_{Smooth} + \varepsilon_{PA} + 2 \cdot \varepsilon_{VER} + \varepsilon_{MAC}$ = 4 · − (A.15)

Note the factor of two for $\varepsilon_{VER}$ to account for failures in the QBER measure as well as the verification step.

$n_{SIFT}$ after sifting entering the further distillation post-processing which in our system is limited by the allocated hardware memory to $n_{SIFT} = 995{,}328$ bits. From this number of bits the respective number of useful detections $n_V$ in the monitoring detector which is used to estimate the visibility is derived as

n V = n SIFT · p Decoy + ( p Decoy ) − p Decoy · (1 − t B ) t B (A.16)

Here, the first factor is the normalization since we use all useful monitor detections, the second factor specifies the number of useful events due to decoy sequences and combinations across bit separations, and the third factor accounts for the beam splitting ratio. Any additional losses or differences in the detection efficiencies between data and monitor detector can be incorporated by a respective choice of the beam splitting ratio $t_B$ and detection efficiency $\eta_D$. Note that hypothetically, we assume an additional detector at the bright interferometer port, however, in practice this detector is not necessary.

References
[1] Claude Elwood Shannon. A mathematical theory of communication.
Bell System Technical Journal, 27:379–423 and 623–656, 1948.
[2] Gilbert S. Vernam. Cipher printing telegraph systems for secret wire and radio telegraphic communications. J. Am. Inst. Electr. Eng., 45:109–115, 1926.
[3] J. Lawrence Carter and Mark N. Wegman. Universal classes of hash functions. Journal of Computer and System Sciences, 18(2):143–154, 1979.
[4] Mark N. Wegman and J. Lawrence Carter. New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences, 22(3):265–279, 1981.
[5] C. H. Bennett and G. Brassard. Quantum cryptography: Public key distribution and coin tossing. In Int. Conference on Computers, Systems and Signal Processing, pages 175–179, 1984.
[6] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden. Quantum cryptography. Reviews of Modern Physics, 74(1):145–195, 2002.
[7] Charles Bennett, François Bessette, Gilles Brassard, Louis Salvail, and John Smolin. Experimental quantum cryptography. Journal of Cryptology, 5:3–28, 1992.
[8] A. Muller, T. Herzog, B. Huttner, W. Tittel, H. Zbinden, and N. Gisin. "Plug and play" systems for quantum cryptography. Applied Physics Letters, 70(7):793–795, 1997.
[9] A. Tanaka, M. Fujiwara, K. Yoshino, S. Takahashi, Y. Nambu, A. Tomita, S. Miki, T. Yamashita, Z. Wang, M. Sasaki, and A. Tajima. High-Speed Quantum Key Distribution System for 1-Mbps Real-Time Key Generation. Quantum Electronics, IEEE Journal of, 48(4):542–550, April 2012.
[10] A. R. Dixon, Z. L. Yuan, J. F. Dynes, A. W. Sharpe, and A. J. Shields. Continuous operation of high bit rate quantum key distribution. Applied Physics Letters, 96(16):161102, 2010.
[11] Damien Stucki, Nino Walenta, Fabian Vannel, Rob T. Thew, Nicolas Gisin, Hugo Zbinden, S Gray, C R Towery, and S Ten. High rate, long-distance quantum key distribution over 250 km of ultra low loss fibres. New Journal of Physics, 11(7):075003, 2009.
[12] Shuang Wang, Wei Chen, Jun-Fu Guo, Zhen-Qiang Yin, Hong-Wei Li, Zheng Zhou, Guang-Can Guo, and Zheng-Fu Han. 2 GHz clock quantum key distribution over 260 km of standard telecom fiber. Opt. Lett.
Andreas Burg. An FPGA-based Secret Key Distillation Engine for Quantum Key Distribution Systems. in preparation, 2013.
[15] Boris Korzh, Nino Walenta, Raphael Houlmann, and Hugo Zbinden. A high-speed multi-protocol quantum key distribution transmitter based on a dual-drive modulator. arXiv:1306.5940, 2013.
[16] C. Roth, P. Meinerzhagen, C. Studer, and A. Burg. A 15.8 pJ/bit/iter quasi-cyclic LDPC decoder for IEEE 802.11n in 90 nm CMOS. In Solid State Circuits Conference (A-SSCC), 2010 IEEE Asian, pages 1–4, Nov. 2010.
[17] IEEE Standard for Information technology–Telecommunications and information exchange between systems–Local and metropolitan area networks–Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications Amendment 5: Enhancements for Higher Throughput. IEEE Std 802.11n-2009, pages c1–502, 10 2009.
[18] Christoph Pacher, Gottfried Lechner, Christopher Portmann, Oliver Maurhart, and Momtchil Peev. Efficient QKD postprocessing algorithms. Poster presentation at QCrypt 2012, Singapore., 2012.
[19] Yishay Mansour, Noam Nisan, and Prasoon Tiwari. The computational complexity of universal hashing. Theoretical Computer Science, 107(1):121–133, January 1993.
[20] Hugo Krawczyk. LFSR-based hashing and authentication, volume 839, pages 129–139. Springer-Verlag, 1994.
[21] D. R. Stinson. Universal hashing and authentication codes. Designs, Codes and Cryptography, 4:369–380, 1994.
[22] Christopher Portmann. Key recycling in authentication. arXiv:1202.1229 [cs.IT], 2012.
[23] T. Symul, S. M. Assad, and P. K. Lam. Real time demonstration of high bitrate quantum random number generation with coherent laser light. Applied Physics Letters
Applied Physics Letters, 87:194108, 2005.
[26] C. Branciard, N. Gisin, and V. Scarani. Upper bounds for the security of two distributed-phase reference protocols of quantum cryptography. New Journal of Physics, 10:013031, 2008.
[27] Tobias Moroder, Marcos Curty, Charles Ci Wen Lim, Le Phuc Thinh, Hugo Zbinden, and Nicolas Gisin. Security of Distributed-Phase-Reference Quantum Key Distribution. Phys. Rev. Lett., 109:260501, December 2012.
[28] ITU-T Recommendation G.694.1 Spectral grids for WDM applications: DWDM frequency grid, 02 2013.
[29] Nino Walenta, Tommaso Lunghi, Olivier Guinnard, Raphael Houlmann, Hugo Zbinden, and Nicolas Gisin. Sine gating detector with simple filtering for low-noise infra-red single photon detection at room temperature. Journal of Applied Physics, 112(6):063106, 2012.
[30] Tommaso Lunghi, Claudio Barreiro, Olivier Guinnard, Raphael Houlmann, Xudong Jiang, Mark A. Itzler, and Hugo Zbinden. Free-running single-photon detection based on a negative feedback InGaAs APD. Journal of Modern Optics, 59:1481–1488, October 2012.
[31] Nano-Tera Annual Plenary Meeting. May 30th-31st, 2013 in Bern, Switzerland, 05 2013.
[32] QCrypt 2013 - 3rd international conference on quantum cryptography. August 5–9, 2013 in Waterloo, Canada, 08 2013.
[33] Yousuke Sano, Ryutaroh Matsumoto, and Tomohiko Uyematsu. Secure key rate of the BB84 protocol using finite sample bits. Journal of Physics A: Mathematical and Theoretical, 43(49):495302, 2010.
[34] Marco Tomamichel, Charles Ci Wen Lim, Nicolas Gisin, and Renato Renner. Tight finite-key analysis for quantum cryptography.